Antoine
New Contributor II

Subordinate CA certificate showed within local (end-entity), not within Fortinet CA certs

I have created a new certificate request for local certificates (using the GUI), using ECDSA p256 cryptographic parameters.

Then I signed it at my root CA with a template of subordinate CA (basic constraint cA:TRUE); and I imported the signed certificate back into the FG. Of course the certificate of the root CA is itself trusted by the FG.

However, the new certificate does not appear in the GUI along with the "local CA certificates" as I would expect, but rather along with the other "certificates." Is this correct, or is it a simple GUI bug?
I do know that at the CLI level all those certificates are handled jointly, so I do not believe this could have a functional impact. Also I am able to correctly select the new (sub) CA for deep inspection, and it works flawlessly.

boneyard
Valued Contributor

Which version? In 6.2 I have the sub CA listed under: Remote CA Certificate

Antoine
New Contributor II

As I marked as a tag, I was seeing that on 6.0 (actually 6.0.11). However it seems to me the same thing is occurring on 6.2.5 as well: the sub-CA certificate which the device has the key for appears as "Local certificate".
Did you generate the private key for the subordinate CA on your device (as opposed to importing the Sub-CA certificate, along with its key, into the Fortigate)?
Also, I agree Sub-CA certificates for which the device does NOT have the private key would appear as "Remote CA"/"External CA" certificates, as one can expect (which is what confuses me: it is done for some but not others).

boneyard
Valued Contributor

Yeah, sorry, didn't notice the tag.
Did some testing around this, and you can make the argument it works OK, but you can also say it doesn't.
If you load a certificate with key, it ends up at Local.
If it is the root CA it shows up at Local CAs; if it is an intermediate/subordinate CA it ends up at Certificates. Doesn't seem to matter if a local key or imported key is used.
Contact your Fortinet sales contact and request the sub CA category in the GUI.
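A way to verify what was actually imported, added here as an example and not code from the thread or from Fortinet: using only Go's standard library it mints a root CA, an ECDSA P-256 sub-CA with cA:TRUE and a leaf (constructed lab data, the CNs are made up), then classifies each certificate from its basic constraints and self-signature and checks whether a given private key belongs to it, which is the property the reply above says decides "Local" versus "Remote CA".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Classify: no cA:TRUE -> end-entity; cA:TRUE and verifies under its own key -> root; cA:TRUE signed by another CA -> sub-CA.
func Classify(cert *x509.Certificate) string {
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return "end-entity"
	}
	if cert.CheckSignatureFrom(cert) == nil {
		return "root CA"
	}
	return "subordinate CA"
}

// HasKey reports whether key is the private key behind cert, i.e. whether this device really holds the key.
func HasKey(cert *x509.Certificate, key *ecdsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey)
}

// issue mints a P-256 certificate for cn (constructed lab data), signed by parent/parentKey, or self-signed when parent is nil.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // does not fail with crypto/rand
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // cA:TRUE plus keyCertSign, as in a sub-CA template
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

Run the same Classify and HasKey on a PEM-decoded certificate and the device key to confirm the imported sub-CA is both a CA and key-matched before relying on it for deep inspection.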